University of Chicago SUPERgroup

Usable Security and Privacy
Problem Set 4

Due on Canvas at 1:00pm on Thursday, May 3rd (extended from 1:00pm on Monday, April 30th).

Problem 1 (20 points)

People reuse passwords across accounts. As a result, password breaches cause major security issues in many cases. For this problem, imagine that you are in charge of IT Security for UChicago, and that Facebook recently suffered a major password breach. You find plaintext passwords from Facebook on the dark web, and some of the usernames and passwords in that leaked data are the same (or similar to) username-password pairs at UChicago. Follow the NEAT and SPRUCE guidelines to craft a notification to potentially impacted UChicago users. You should turn in:

  1. One paragraph describing what details you believe to be most important to communicate, and why.
  2. One paragraph describing the decisions you made in designing your breach notification grounded in the NEAT and SPRUCE guidelines discussed in class.
  3. A sentence or two describing how this notification will be distributed (over email? etc.) and to whom.
  4. A mock-up of the breach notification itself. (Make sure it looks nice.)

Problem 2 (50 points)

While we have been focusing on designing interfaces and software to help users make security and privacy decisions, we have yet to spend much time engaging with how attackers exploit predictable human behaviors.

We have created 500 different password hashes for each member of the class spread across three different sets. (Each set represents a different hash function.) You can download the three sets of hashes for your username here. Your deliverable for this problem is to submit the plaintext passwords (hash preimages) for as many of these password hashes as you can crack. Upload the pot file that results from Hashcat, and we will automatically parse this file and give you credit for all of the passwords you crack.

We have uploaded a cracking tutorial here. For performing the actual password cracking, we highly recommend hashcat, which is an excellent open-source tool for password recovery.

We do not expect you to crack all of the hashes; far from it! Crack as many as you can, but you will receive a maximum of 50 points for this part of the problem set (1 point for each successful crack from set 1, 3 points for each successful crack from set 2, and 20 points for each successful crack from set 3). Note that the cracking process will take time, so start early!
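As an added illustration of the grading step described above (the course's own parser is not shown here, and this is not it), the script below reads a hashcat pot file, checks each claimed crack against the three sets, and awards 1, 3 and 20 points per set with the 50-point cap. Because the problem set does not say which hash function each set uses, the script assumes MD5, SHA-1 and SHA-256 for sets 1 to 3, and the hash sets and pot file lines are constructed sample data. One check worth keeping in any such grader: a line earns credit only if the submitted plaintext really hashes to the claimed digest, so a stray or mistyped entry cannot score.

```python
import hashlib

# Scoring as stated in the problem set: 1, 3 and 20 points per crack, 50 max.
POINTS_PER_SET = {1: 1, 2: 3, 3: 20}
MAX_POINTS = 50

# ASSUMPTION: the problem set does not name the hash functions, so this
# example assigns MD5, SHA-1 and SHA-256 to sets 1-3 purely for illustration.
SET_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha256"}


def hash_password(set_id: int, plaintext: bytes) -> str:
    """Hex digest of plaintext under the (assumed) algorithm for that set."""
    return hashlib.new(SET_ALGORITHMS[set_id], plaintext).hexdigest()


# Constructed sample sets (not the course's data): the hashes a student is given.
SAMPLE_SETS = {
    1: {hash_password(1, p) for p in [b"password", b"letmein", b"qwerty"]},
    2: {hash_password(2, p) for p in [b"sunshine2018", b"iloveyou"]},
    3: {hash_password(3, p) for p in [b"Tr0ub4dor&3"]},
}


def decode_plain(plain: str) -> bytes:
    """hashcat writes plaintexts with awkward bytes as $HEX[...]; decode those."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1])
    return plain.encode("utf-8")


def parse_potfile(text: str):
    """Yield (digest, plaintext_bytes) from hashcat's unsalted 'hash:plain' lines.
    Split on the first ':' only, since the plaintext itself may contain ':'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        digest, plain = line.split(":", 1)
        yield digest.lower(), decode_plain(plain)


def grade_potfile(potfile_text: str, hash_sets=SAMPLE_SETS):
    """Return (points, per_set_counts).

    A line is credited only if the digest belongs to one of the sets AND the
    submitted plaintext actually hashes to it. Each digest counts once, so
    duplicate pot file lines do not inflate the score."""
    credited = set()
    counts = {set_id: 0 for set_id in hash_sets}
    points = 0
    for digest, plain in parse_potfile(potfile_text):
        if digest in credited:
            continue
        for set_id, hashes in hash_sets.items():
            if digest in hashes and hash_password(set_id, plain) == digest:
                credited.add(digest)
                counts[set_id] += 1
                points += POINTS_PER_SET[set_id]
                break
    return min(points, MAX_POINTS), counts


# Constructed pot file: two valid cracks, one duplicate, one $HEX entry,
# one wrong plaintext for a real hash, and one digest from no set.
SAMPLE_POTFILE = "\n".join([
    f"{hash_password(1, b'password')}:password",
    f"{hash_password(1, b'password')}:password",            # duplicate, counted once
    f"{hash_password(2, b'iloveyou')}:iloveyou",
    f"{hash_password(3, b'Tr0ub4dor&3')}:$HEX[{b'Tr0ub4dor&3'.hex()}]",
    f"{hash_password(2, b'sunshine2018')}:wrongguess",       # does not verify
    f"{'0' * 32}:notinanyset",                               # unknown digest
])

if __name__ == "__main__":
    total, per_set = grade_potfile(SAMPLE_POTFILE)
    print(f"points={total} per_set={per_set}")
```

Running the block on the constructed pot file credits one crack from each set (1 + 3 + 20 = 24 points); the wrong guess and the unknown digest are ignored. For salted modes hashcat writes `hash:salt:plain`, which this unsalted parser does not handle.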

Problem 3 (15 points)

Political activists frequently fear being surveilled by a wide range of adversaries (ranging from governments to opposing factions), yet often lack the technical knowledge to keep themselves secure and private.

To help bridge this gap, create a 1-2 page overview for (non-technical) activists outlining what you believe to be the essential steps they can take to protect their privacy and security, including everything you think they need to know. We'd like to actually distribute some of these (with your permission), so style counts! Think about what you could imagine receiving as a handout (one-sided or two-sided). Think also about the best designed infographics you have seen and use those as aesthetic inspiration. Please turn in the following:

  1. One paragraph describing the kinds of activists for whom you have designed this notice, as well as what assumptions you've made about them.
  2. The overview page itself (single-sided or double-sided).
  3. Citations to any sources you used to develop the information contained in your overview.

Here are some starting resources you might consider when deciding what advice to include or leave out:

Problem 4 (15 points)

Write a first draft of the methodology section for your group's research project. For the purpose of the homework assignment, each team member should do this individually. Afterwards, your team will have a whole set of methodology drafts, which will allow you to combine the strongest aspects of each.